Elusive New Viruses Can Avoid Detection By Dennis Flanders While computer users nationwide took time to download anti- virus software to detect the latest viral strains, someone was busy creating the electronic version of the stealth bomber. The "stealth" viruses are the deadliest infection to date. At one time the message "126 files scanned - No viruses detected" would cause a sigh or relief. Now it may mean "126 files scanned - 126 files infected." Not only do these evasive new bugs elude detection, they can turn your favorite scan program into a "typhoid Mary." Most viruses announce their presence by doing such obvious things as consuming system resources, destroying files or causing distinctly abnormal actions on the screen. The stealth virus, on the other hand, quietly sits in the computer's memory doing nasty things to your system over a long period. The 4096 virus is destructive to both data and executable files. Because the virus slowly cross-links files on the system's disk, it gives little indication of its presence. The cross-linking occurs so slowly that it appears there is a hardware problem when it is the result of the virus manipulating the FATs and changing the number of available sectors. Masquerading as hardware failures, stealth viruses can cause much time and money to be wasted chasing the wrong problem and repairing good equipment. After finally discovering the virus the infected PC's data and programs may be beyond recovery. Often several generations of backups will contain files contaminated or destroyed by the virus. Currently 4096 and Joshi-B are the most prevalent of the stealth viruses. Once installed in memory, a typical stealth virus will insinuate itself between DOS and the user. It will protect itself by filtering information passed between DOS and programs. Whenever DOS opens a file, the virus will intercept the call and manipulate the file. If the opened file is not infected, it will become infected. If the file is infected the virus will make it appear to be "clean" by removing itself. Thus anti-viral scanners are unable to detect its presence. If the anti-viral software does not scan memory, the stealth virus will go completely undetected. In fact anti-viral programs will lie and report that the PC is "clean" even as it becomes the primary vehicle for infection. Commonly used programs often become the primary source for contamination. For instance, typing COPY or XCOPY will cause the virus to infect both the original and the new files. Viruses always add code to the programs they infect. For instance the 4096 virus will increase the size of an infected file by 4096 bytes. Stealth viruses also manipulate commands such as DIR that report file lengths. They will subtract the length of the viral code from the file size before passing it on to the requesting program, making it appear normal. Programs that depend on CRC checks to validate the existence of a virus are not effective. They perform their calculations on a "sanitized" version of an infected program. This causes the CRC to be correct. The only sure protection is prevention. In the past genuine hardware problems have been blamed on viruses. We may now have come full circle. Genuine virus problems may be blamed on hardware glitches, according to David Stang, chairman of the National Computer Security Association. Stang went on to say that the association's BBS (see insert) has software and clear instructions for dealing with stealth viruses. Insert: The National Computer Security Association 4401-A Connecticut Ave. NW, Suite 309 Washington, DC 20008 202-364-8252 (Voice) 202-364-1304 (Data)